Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to update an indexer cluster?

scheckenbachb
Explorer
‎10-05-2016 11:33 PM

Hi everyone,
I have to update (6.1.8 -> 6.4.3) a Splunk deployment build of 1 Master, 2 Search Heads (non-pooled), 2 indexer (cluster) and a few forwarder. I've check the manuals, but I'm still unsure what the correct process is. Especially the indexer cluster.
Must I take both indexer and master down until all three are updated?

Regards,
Bernhard

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-06-2016 02:59 PM

I have updated indexer clusters from 6.3 to 6.4 using the following procedure

  1. Take the cluster master offline and update it. Restart.
  2. Put the cluster in maintenance mode.
  3. Update each indexer and then restart it. As an indexer restarts, it should rejoin the cluster.
  4. After all indexers are updated, turn off maintenance mode.
  5. Wait until the indexer cluster stabilizes - it should quickly catch up on its replication.
  6. Update and restart the search heads one at a time.
  7. The forwarders do not need to be updated, but if you want to update them, you can do it at any time.

From 6.1.8 to 6.4.3 is a larger "jump." I would be less confident with that. But you could take down all the Splunk indexers and the cluster master in step 1 (ie, stop Splunk on all of them). Then update the master and put it in maintenance mode. Continue with step 3. That is a more conservative approach. The cluster will be offline slightly longer.

Do use maintenance mode.

View solution in original post

Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎10-09-2016 03:12 PM

Hi @scheckenbachb - Did the answers provided by lguinn or ChrisG help at all? If so, please don't forget to resolve this post by clicking "Accept" below the best answer and up vote any comments you found helpful. If not, please provide some more feedback by leaving a comment. Thank you!

0 Karma
Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎10-06-2016 03:44 PM

Are you following the procedure in Upgrade an indexer cluster, in the Managing Indexers and Clusters of Indexers manual? The steps are pretty clear. You have to stop the master and all the peers and search heads, yes. And lguinn is right (as always), you want to use maintenance mode. You also want to use splunk stop to bring the peers offline, not splunk offline. See the docs!

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-06-2016 02:59 PM

I have updated indexer clusters from 6.3 to 6.4 using the following procedure

  1. Take the cluster master offline and update it. Restart.
  2. Put the cluster in maintenance mode.
  3. Update each indexer and then restart it. As an indexer restarts, it should rejoin the cluster.
  4. After all indexers are updated, turn off maintenance mode.
  5. Wait until the indexer cluster stabilizes - it should quickly catch up on its replication.
  6. Update and restart the search heads one at a time.
  7. The forwarders do not need to be updated, but if you want to update them, you can do it at any time.

From 6.1.8 to 6.4.3 is a larger "jump." I would be less confident with that. But you could take down all the Splunk indexers and the cluster master in step 1 (ie, stop Splunk on all of them). Then update the master and put it in maintenance mode. Continue with step 3. That is a more conservative approach. The cluster will be offline slightly longer.

Do use maintenance mode.

Reply
Solved! Jump to solution

paimonsoror
Builder
‎10-09-2016 07:25 PM

This is great information. I am looking to upgrade from 6.4 to 6.5 soon for our environment, and your post added some confidence to my planning 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...